The new Advanced Encryption Standard (AES) algorithm was designed for commercial applications. As per its original specification, the AES algorithm runs efficiently in both hardware and software. This requirement not only increases the probability of a software-based brute-force success, but also imposes a mathematical structure that may shrink the search space of the attack.
AES was formerly known as Rijndael and is the U.S. Government's new type-3 algorithm. The algorithm is cryptographically strong, and is efficient in both hardware and software embodiments. The algorithm features a scalable key length. This attribute, together with other advantages, ensures that the AES algorithm will be effective for commercial applications for many years.
A complete description of the AES algorithm can be found in the Federal Information Processing Standard (FIPS-197). For the AES algorithm to run efficiently in software, it was constructed with multiple rounds (or loops) of arithmetic functions that operate on byte-sized or 32-bit word-sized variables over GF(2^8) and GF(2). Operations over these two Galois fields result in algorithm behavior that is highly non-linear. Each round includes a substitution operation, a row shift operation, a column mixing operation, and a sub-key addition operation that combines the state with a sub-key variable.
The substitution operation includes a non-linear byte substitution that operates independently on each byte of the 128-bit input to this stage. The substitution includes a series of linear operations over both GF(2^8) and GF(2). The relationship between operations over these two fields results in an overall mapping that is non-linear. This property provides strength against linear and differential cryptanalysis.
Following the substitution operation is a straightforward row-wise byte shifting operation. Next, a column-wise polynomial transformation is applied if the round counter indicates that the total number of rounds has not yet been completed. The transformation includes a third-order polynomial multiplication over GF(2^8). The row shifting and column transformation operations provide mixing or diffusion layers to the algorithm. Finally, a key variable addition operation is performed. This operation is a straightforward modulo-two addition of an input variable with the appropriate sub-key variable over GF(2).
The row shifting and column transformation operations provide layers of diffusion for the AES algorithm. However, there is no redundancy in the AES diffusion layers. The algorithm's cryptographic strength depends on the mixing offered by the diffusion layer operations working together over multiple rounds. If an attack is identified that eliminates the contribution of any of these operations, the overall cryptographic strength of the algorithm will be compromised.
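The round structure described above, as an added Python example that is not code from this document or from FIPS-197: the four operations over GF(2^8) and GF(2), assembled into one round, plus a check that the byte substitution is the only one of them that is not linear over GF(2) (which is why, as the text notes, the diffusion layers alone carry no cryptographic strength without it).

```python
# Added example: AES round operations built from the FIPS-197 definitions.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8) by square-and-multiply; inv(0) is 0 as in AES."""
    r, e = 1, 254
    while e:
        r = gf_mul(r, a) if e & 1 else r
        a, e = gf_mul(a, a), e >> 1
    return r

def sbox(x):
    """SubBytes: GF(2^8) inversion followed by the GF(2) affine map (FIPS-197 5.1.1)."""
    b = y = gf_inv(x)
    for s in range(1, 5):                      # y = b ^ rotl(b,1) ^ ... ^ rotl(b,4)
        y ^= ((b << s) | (b >> (8 - s))) & 0xFF
    return y ^ 0x63

SBOX = [sbox(x) for x in range(256)]           # state below is a 16-byte column-major list

def shift_rows(state):
    """Row r of the 4x4 state rotates left by r bytes (the diffusion step over rows)."""
    return [state[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]

def mix_column(a, m=gf_mul):
    """Multiply one column by the fixed polynomial 3x^3 + x^2 + x + 2 over GF(2^8)."""
    return [m(a[0], 2) ^ m(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ m(a[1], 2) ^ m(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ m(a[2], 2) ^ m(a[3], 3),
            m(a[0], 3) ^ a[1] ^ a[2] ^ m(a[3], 2)]

def aes_round(state, round_key, final=False):
    """One round: SubBytes, ShiftRows, MixColumns (skipped in the final round), AddRoundKey."""
    state = shift_rows([SBOX[b] for b in state])
    if not final:
        state = sum((mix_column(state[c:c + 4]) for c in range(0, 16, 4)), [])
    return [s ^ k for s, k in zip(state, round_key)]   # modulo-two addition over GF(2)

def nonlinear_pairs(table):
    """Count (a, b) with T[a^b] != T[a]^T[b]; zero means the byte map is GF(2)-linear."""
    return sum(table[a ^ b] != table[a] ^ table[b] for a in range(256) for b in range(256))
```

The S-box values and the MixColumns column used in the test are the worked examples printed in FIPS-197, so they double as a self-check that the field arithmetic is right.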